Tailscale: The VPN That Made Me Stop Port Forwarding
I used to forward ports. I used to edit SSH configs. I used to keep a text file of IP addresses for every machine I owned because I couldn't remember which was 192.168.1.47 and which was 192.168.1.52.
Tailscale replaced all of that with a single binary and about four minutes of setup.
What Tailscale Actually Is
Tailscale is a mesh VPN built on WireGuard. Every device you install it on gets a stable IP address on a private network (100.x.y.z), and every device can reach every other device directly. No central server routing your traffic. No port forwarding on your router. No exposing services to the public internet to access them from your phone.
The key distinction: traditional VPNs route all your traffic through a central point. Tailscale creates direct, encrypted connections between your devices. Your laptop talks to your home server without anything in between. The only thing Tailscale's coordination server handles is discovery — figuring out how to punch through NATs so your devices can find each other.
For solo builders running services on home hardware, this solves the fundamental access problem. Your Mac Mini is behind a router, behind your ISP's NAT, possibly behind CGNAT if you're on Starlink or T-Mobile Home Internet. Getting traffic to it from the outside used to require either a static IP, a VPN server you maintained yourself, or a reverse tunnel through something like Cloudflare.
Tailscale skips all of that.
Installation and Setup
brew install tailscaleOr download the Mac app from the App Store. On Linux:
curl -fsSL https://tailscale.com/install.sh | sh
sudo tailscale upThat's it. Sign in with your Google, Microsoft, or GitHub account. The device joins your tailnet. Repeat on every other device you want connected — laptop, server, phone, whatever. Each one gets a 100.x.y.z address that never changes, even if your physical IP does.
Total time from zero to two devices talking to each other: under five minutes. Most of that is waiting for the Homebrew download.
MagicDNS: The Feature That Matters Most
Every device on your tailnet gets a hostname. My Mac Mini is reachable at mac-mini from any other device on the network. Not 100.64.0.12. Not 192.168.1.47. Just mac-mini.
ssh mac-mini
curl http://mac-mini:2368
ping mac-miniMagicDNS also gives you a full domain: mac-mini.tailnet-abc123.ts.net. That domain resolves to the Tailscale IP, and Tailscale will issue HTTPS certificates for it automatically via tailscale cert. Free TLS on your private network with zero configuration.
This sounds small. It changes everything about how you interact with your infrastructure. SSH configs go from twelve lines to two. Scripts that reference servers by IP become readable. You stop maintaining a mental map of which IP belongs to which machine because the names are right there.
How I Actually Use It
My setup: a MacBook Pro for development and a Mac Mini M4 as a home server. The Mac Mini runs Ghost, PostgreSQL, and a handful of other services behind a Cloudflare Tunnel for public access. Tailscale connects them privately.
Day-to-day, this means:
- SSH to the server:
ssh mac-minifrom anywhere — home, coffee shop, phone hotspot. No VPN client to connect first, no port 22 exposed to the internet. - Database access:
psql -h mac-mini -U postgresfrom my laptop. The PostgreSQL port is never exposed publicly. Only devices on my tailnet can reach it. - Web dashboards: Admin panels, monitoring tools, anything listening on a port — all accessible at
http://mac-mini:PORTfrom my laptop without forwarding anything through my router. - File transfers:
scpandrsyncover the tailnet. No intermediary, no cloud storage as a relay.
The mental model shift is significant. Before Tailscale, accessing a service on my home server from outside the house meant either exposing it publicly or maintaining an SSH tunnel. With Tailscale, every device is always reachable from every other device. You stop thinking about network topology and start thinking about services.
One detail worth knowing: Tailscale connections survive network changes. Switching from home Wi-Fi to a phone hotspot doesn't drop your SSH session. The WireGuard connection re-establishes in under a second. I've kept terminal sessions alive through three network transitions in a single afternoon.
Tailscale Serve and Funnel
Tailscale Serve lets you expose a local port to your tailnet with HTTPS, using Tailscale's built-in certificate management:
tailscale serve https / http://localhost:3000This makes https://mac-mini.tailnet-abc123.ts.net serve whatever is running on port 3000. Valid TLS certificate, automatic renewal, zero configuration. Only accessible from your tailnet.
Tailscale Funnel goes further — it exposes that same endpoint to the public internet through Tailscale's infrastructure:
tailscale funnel https / http://localhost:3000Anyone on the internet can now reach your service at https://mac-mini.tailnet-abc123.ts.net. No Cloudflare account, no tunnel daemon, no DNS records to manage.
The constraint: Funnel only works on ports 443, 8443, and 10000. You don't get a custom domain — you use the .ts.net domain Tailscale assigns. For a staging environment or a webhook endpoint, that's fine. For a production website with your own domain, you still want Cloudflare Tunnel or a traditional reverse proxy.
Tailscale vs. Cloudflare Tunnel
These tools get compared often, but they solve different problems.
| Feature | Tailscale | Cloudflare Tunnel |
|---|---|---|
| Primary use | Private device-to-device networking | Public access to services behind NAT |
| Custom domains | No (uses .ts.net) | Yes (any domain on Cloudflare DNS) |
| Public exposure | Optional (Funnel, limited ports) | Yes (full HTTP/HTTPS) |
| Private networking | Yes (core feature) | No |
| Free tier | Up to 100 devices, 3 users | Unlimited tunnels |
| Protocol | WireGuard (any TCP/UDP) | HTTP/HTTPS only |
| SSH access | Yes (native) | Via cloudflared proxy |
| Setup time | ~4 minutes | ~10 minutes |
The short version: Tailscale is for accessing your own machines privately. Cloudflare Tunnel is for letting the public access your machines. Most solo builders running home servers need both.
I use Cloudflare Tunnel to serve my public-facing sites on custom domains. I use Tailscale for everything else — SSH, database access, admin panels, inter-machine communication. They don't compete. They complement.
The Catch
Tailscale's coordination server is a hosted service. Your traffic doesn't flow through it — the WireGuard connections are peer-to-peer — but the control plane that manages device discovery, key exchange, and ACLs runs on Tailscale's infrastructure. If Tailscale has an outage, existing connections keep working, but you can't add new devices or update access rules until it's back.
If that bothers you, there's Headscale — an open-source, self-hosted implementation of the Tailscale coordination server. It works with the official Tailscale clients. I haven't switched to it because the tradeoff doesn't make sense for my use case: Tailscale's free tier covers 100 devices and 3 users, and I'd rather spend my time building products than maintaining authentication infrastructure.
The other catch is more subtle. Tailscale makes it so easy to access services across machines that you can end up with a sprawl of ports and services that are "accessible from anywhere" but not documented anywhere. A service running on port 8080 on your server is now reachable from your phone. That's power, but it's also a wider attack surface if one of your tailnet devices gets compromised. The Tailscale ACL system lets you lock this down — restricting which devices can talk to which ports — but the default is allow-all within your tailnet.
Worth configuring ACLs before your tailnet grows past 3-4 devices.
The Security Model
Every connection is encrypted with WireGuard. Keys rotate automatically. There's no way to join your tailnet without authenticating through your identity provider. If someone steals your laptop, you can remove it from the tailnet in the admin console and every other device immediately stops accepting connections from it.
Compared to the alternatives — port forwarding exposes services to the entire internet, SSH tunnels require managing keys and keeping a daemon running, traditional VPNs route everything through a bottleneck — Tailscale's security model is meaningfully better for the amount of effort required.
The practical difference: I have a PostgreSQL database running on my server that I access from my laptop. Without Tailscale, I'd either expose port 5432 to the internet (bad idea), set up an SSH tunnel every time I wanted to connect (tedious), or only access it when I'm on the same local network (limiting). With Tailscale, the port is accessible only to my devices, encrypted in transit, and I don't think about it.
Who This Is For
Any solo builder running services on more than one machine. The threshold is low — even a laptop and a single server is enough to justify the five-minute setup.
The pattern I see: you start with Tailscale for SSH access to a home server. Then you realize your database is reachable. Then your monitoring dashboards. Then you install it on your phone and check service status from bed. Then you stop port-forwarding anything and forget your router's admin password.
It's the kind of tool that quietly becomes load-bearing infrastructure. You don't notice how much you rely on it until you imagine taking it away.
The stack for a solo builder running home infrastructure in 2026: OrbStack for containers, Tailscale for private networking, Cloudflare Tunnel for public access. Three tools, zero monthly cost, and every machine you own acting like it's on the same desk.
No port forwarding. No IP address spreadsheets. No SSH tunnels you forget to start. Just a mesh that works.